• Table of Contents:
• Title Page
• Chapter 1: Security Policy
• Chapter 2: Security Organisation
• Chapter 3: Information Classification
• Chapter 4: Control of Classified Material
• Chapter 5: Personnel Security
• Chapter 6: Contractors and Other Third-Party Access
• Chapter 7: Physical and Environmental Security
• Chapter 8: Communications and Systems Security Management
• Chapter 9: Control of Access to Information Systems
• Cross-Reference to AS/NZ ISO/IEC 17799:2001
• Glossary of Abbreviations

Chapter 4: Control of Classified Material

General

1. Classified material must be controlled to:

• prevent unauthorised and improper access

• assist investigations into any breach of security

• reinforce the "need to know" principle.

2. Control is best maintained by an orderly system of paper keeping. This lets an organisation know:

• what classified material it has

• where it should be found

• whether it is where it should be

• who has or had access to it.

3. For one organisation to entrust its classified material to another, confident that it will be protected the same way, there must be a common standard of control.

"Need to Know" Principle

4. Fundamental to all aspects of security is that the only people who receive classified information are those who need it to complete the business in hand. Thus, employees receive access to classified information:

• only because they "need to know" it to complete their duties

• not because it would be convenient for them to know

• not by virtue of their status, position, rank or level of authorised access.

5. Adherence to the "need to know" principle helps protect the employee as well as the classified material.

6. The "need to know" principle applies both within an organisation and when dealing with people outside it.

7. If in any doubt whether or not a proposed recipient is authorised for access to a particular classification, staff must consult their supervisor or the DSO.

8. Security briefings and security education should make staff fully aware of their personal responsibility to apply the "need to know" principle.

9. Standard distribution lists are a useful aid in applying the "need to know" principle. Government organisations should keep the number of recipients on a distribution list and the number of copies distributed to a minimum.

10. The distribution of SECRET and TOP SECRET material should be strictly controlled under arrangements clearly defined in the organisation's security instructions.

11. Avoid including unnecessary, classified information in widely distributed documents. When a highly classified document covers a number of topics, produce it in sections if possible, so that the whole document is not distributed to those concerned with only part of it.

12. Carefully control the issue of classified documents from registries and libraries, on a "need to know" basis.

"Need to Retain" Principle

13. Only retain classified documents, especially circulated drafts, while they are in use. Once a classified document or draft is no longer needed, either return it to the originator or destroy it.

14. Security instructions on the "need to retain" principle should include:

• keeping all holdings of loose classified material to a minimum

• annual reviews of holdings of loose classified material

• how to return or dispose of unneeded classified material

• regular, for example six-monthly, reviews of all holdings of TOP SECRET material, to find what can be returned or destroyed

• storing TOP SECRET or SECRET documents, that need to be retained long-term, in numbered or otherwise identifiable folders, subject to the minimum control and storage standards for their classification.

15. For classified committee papers, also consider:

• staff with no direct interest in or need to retain copies should return them to the originator as soon as possible

• staff or branches of organisations with access to master sets, held in registries or in the original master record, should surrender spare copies

• committee secretaries should set a maximum period for retaining copies and advise committee members to return or destroy them when the period is over.

Workplace Procedures

Working in Secure Zones

16. Within the same building, different levels of security may be needed. Consider concentrating offices doing classified work in a separate, secure zone.

17. Allow only authorised personnel into secure zones.

18. Different levels of security may be needed within a secure zone. Consider barriers to control physical access between areas with different security needs.

19. For more advice on physical protection for secure zones, see Chapter 7 of this manual, and the NZSIS Protective Security Manual.

Room Security

20. During normal working hours, if classified documents are not protected in locked security containers, individual staff and their supervisors are responsible for ensuring that the documents cannot be read, handled or removed by unauthorised personnel.

21. Chief Executives and heads of government departments and agencies, State Owned Enterprises and Crown Entities must decide how to protect material that is classified IN CONFIDENCE, SENSITIVE or RESTRICTED in their organisation.

22. All material classified CONFIDENTIAL or above should be secured whenever not in use.

23. Material classified CONFIDENTIAL or above, including classified waste, should be locked in security containers whenever a room in a secure zone is unoccupied for over thirty minutes or as detailed in the organisation's security instructions.

24. Lock doors and close and secure windows when a room in a secure zone is unoccupied for less than the time specified in paragraph 0 and the classified material is not secured.

25. Make sure that all classified documents cannot be read from outside the room.

26. When cleaners or other ancillary staff may have access to a secure room, lock away all classified material when the room is unoccupied.

27. The need to protect material such as internal telephone directories varies by organisation and is at the discretion of the Chief Executive or head.

Open-Plan Offices

28. It may be hard to enforce "need to know" procedures in open-plan offices. Before working on classified material in open-plan offices, take precautions to prevent overlooking and eavesdropping by unauthorised people. Pay particular attention to the location of discussion areas and equipment such as computer monitors, printers, photocopiers and other reprographic systems.

Overhearing and Eavesdropping

29. Under normal working conditions, ordinary speech is not intelligible beyond a range of 15 metres; although in exceptionally quiet conditions, or where building structural anomalies or technical aids could conduct sound waves, the range may be greater.

30. In considering the risk of overhearing (as distinct from eavesdropping by technical means) in "sensitive" rooms, note any sounds that may mask speech.

31. The risk of overhearing is obviously greater when windows are open, especially at or close to ground level.

32. Avoid dictating TOP SECRET material. Dictation is more easily overheard than ordinary conversation. Take special precautions with dictation to prevent overhearing or eavesdropping.

33. Consult the GCSB if the organisation has concerns about overhearing or eavesdropping.

Overviewing from Adjacent Buildings

34. Telephotography can be used to photograph documents from any position at an angle greater than 15 degrees above horizontal. The effective range depends on the equipment used and the environmental conditions.

35. Consider all windows of rooms used for classified work as vulnerable to telephotography. Net curtains or opaque glass may provide protection, but this may be compromised by artificial light. To be safe, draw all curtains and blinds, including venetian blinds.

36. Consult the NZSIS if the organisation has concerns about overviewing.

Ancillary Staff

37. Just because ancillary staff (such as guards, receptionists, cleaners, maintenance workers, or canteen staff) are security vetted does not mean that physical security measures and the "need to know" principle are no longer necessary.

38. Use protective measures and security education to prevent ancillary staff from accessing classified material or overhearing discussions involving classified matters.

Clear Desk and Clear Screen Policy

39. Consider adopting:

• a clear desk policy for papers and removable storage media

• a clear screen policy for information processing facilities.

40. A clear desk and clear screen policy will greatly reduce the risk of unauthorised access, loss of, or damage to information. The policy should take into account security classifications and the organisation's risk assessment.

41. Apply the following guidelines:

• Where appropriate, store paper and computer media in suitable containers when not in use, even during working hours.

• Lock away classified material when not needed, especially when the office is unoccupied.

• Log off personal computers, computer terminals and printers when unattended.

• Protect personal computers, computer terminals and printers by key locks, passwords or other controls when not in use.

• Protect incoming and outgoing mail points and unattended fax and telex machines.

• Lock photocopiers outside of normal working hours (or protect from unauthorised use in some other way).

• Clear classified information from printers immediately.

End of Day Procedures

42. Line managers should be responsible for developing and implementing adequate procedures to protect classified material outside of working hours. This could include having all rooms checked at the end of the working day.

Identification of Staff Keeping Unusual Hours

43. Organisations holding classified material should keep a record of staff leaving the office late or coming in at unusual hours. Record the name of the employee, their branch and time of entry or departure.

44. Each organisation should decide what constitutes "working late" or "unusual hours". Generally, an hour and a half before or after normal working hours or any time on days the office is closed for normal business may be considered "unusual hours".

45. This record will help protect against unauthorised copying or removal of classified material, and will also protect the employee. While there may not be anything sinister in an employee working unusual hours, line managers and the DSO ought to know which staff members make a habit of this.

46. If an employee with access to classified material is regularly keeping unusual hours for no obvious reason, the DSO should make discreet inquiries to find out why. If no satisfactory reason is found, consult the NZSIS.

Removal of Classified Material from the Office

47. Classified material should only be removed from the office when:

• the material is needed for a declared purpose

• the employee removing the material has specific permission.

48. For specific requirements for storage and transmission of classified material, see Chapter 3 Annexes A to F.

Homeworking

49. Some organisations may have staff who work on official and classified information from home. For guidance on the security aspects of homeworking, see the NZSIS Protective Security Manual.

Conference Security

50. Guidelines on security at conferences, see the NZSIS Protective Security Manual.

Information Preparation and Handling

General

51. To protect classified information, an effective system of control is essential. Such a system must allow government organisations to know:

• what classified material is held

• what level of protection it needs

• where it is held

• who is authorised to see or use it; and, at the higher levels of classification, who has had access to or has used it in the past.

52. The system of control should apply to the following aspects of handling information:

• preparation

• marking

• registration and filing

• copying

• custody review

• spot checks

• microform

• destruction.

Preparation

53. Classified documents must be handled - prepared, copied, delivered, etc. - only by authorised personnel. Regularly review security arrangements for production and copying. Consider the following:

• establish separate production and copying facilities for classified documents

• number copies as they are produced or copied

• as soon as possible, dispose of spoilt copies as classified waste

• hold spare copies in secure storage, and dispose of as classified waste as soon as it is clear that they are surplus and no longer needed

• familiarise staff with precautions against unauthorised use of reproduction equipment such as photocopiers, printers and facsimiles; this includes making only the authorised number of copies

• make sure that instructions for handling, destroying and disposing of classified material are specific, practical and effective.

54. Treat the following as classified documents:

• cylinders

• discs

• tapes

• shorthand notebooks

• preliminary sketches

• working notes or sketches

• photographs

• negatives

• stencils

• carbon papers

• all magnetic and optical storage media used to record classified material.

55. Script on a cotton typewriter or printer ribbon is sometimes legible until typed over four or five times. Nylon ribbons are more resistant to indentation. While elaborate precautions with ribbons used to type classified documents are not necessary, consider the following:

• remove used ribbons before typewriters or printers are sent for repair

• treat single-use ribbons, such as acetate and other ribbons on certain makes of electric typewriters, as classified, consistent with the level of classification used on the typed document

• remove ribbons after working hours and whenever not in use; store accordingly; and destroy as classified waste as soon as they are completely used

• use similar procedures for correcting tape.

56. Print or stamp security classifications on documents clearly and distinctively, in the centre of the top and bottom of each page.

57. Colour coding makes it easy to identify classifications; and higher classifications clearly stand out. The accepted colour coding is:

TOP SECRET: red

SECRET: blue

CONFIDENTIAL: green

RESTRICTED, SENSITIVE and IN CONFIDENCE: black

58. When classification markings must be typed or printed in the same lettering as the text, consider using:

• wider spacing

• distinctive boxes

• underlining.

59. Print or stamp the overall classification of non-permanently bound books or files in the centre of the top and bottom of:

• the front and back covers

• the title page.

60. Classify all subsequent pages and insertions, such as maps, photographs or drawings, according to their contents.

61. For magnetic media, such as floppy discs, and optical storage media, such as CD-ROMs and DVDs, clearly and prominently mark the highest security classification on both the front of the disc and on its case.

62. For guidance on marking other classified material such as books, maps and films, see the NZSIS Protective Security Manual.

Registration

63. For documents classified higher than RESTRICTED, include a reference to the originator and the date of origin.

64. For documents issued in a series, such as committee papers, include a sequential number, to make it obvious when one is missing.

65. For documents classified CONFIDENTIAL and above, include page numbers.

66. For TOP SECRET and SECRET documents, include page numbers and total number of pages, to make it easy to check for completeness.

67. For TOP SECRET and SECRET documents in wide circulation, number each copy. This helps to record distribution and narrow investigation if necessary.

Making Documents "Accountable"

68. When a classified document is made "accountable", its holder must check and certify its safe custody at stated intervals, normally every six months.

69. All TOP SECRET documents must be accountable.

70. The originator of a document determines:

• whether it is accountable (if lower than TOP SECRET)

• marks that distinguish it as accountable

• frequency of checking and certifying.

Minimum Standards for Controlling TOP SECRET and SECRET Material

71. The minimum standards for controlling TOP SECRET and SECRET material are:

• record its location on preparation, arrival into the organisation, in use and in storage

• record its disposal or destruction

• keep these records for at least five years.

72. For further guidance on controlling TOP SECRET and SECRET material, see the NZSIS Protective Security Manual.

Automated Document Accounting Systems (ADAS)

73. ADAS may be used in place of manual systems to account for classified material. Computerising a manual system does not in itself enhance security. However, an ADAS may:

• increase security awareness

• tighten security

• improve efficiency as part of a larger electronic office project.

74. For further information on ADAS systems, see the NZSIS Protective Security Manual.

Copying, Printing and Facsimile Machines

75. To prevent unauthorised use, strictly control access to copying machines and printers, including microfilming equipment, and facsimile machines that are not protected by COMSEC systems.

76. Control depends on the circumstances and types of machines. When a machine is used to copy or print substantial quantities of classified material, control its use during working hours and immobilise it at all other times.

77. For guidance on additional control measures, including those to be taken when repairing or disposing of reprographic machinery, see the NZSIS Protective Security Manual.

Laptop Computers

78. See Chapter 9.

Custody

79. Only registry staff should issue classified files and return them to registries.

80. If a classified file is passed directly to another person in an emergency, the person passing the file should:

• inform registry staff as soon as possible

• inform their supervisor or an appropriate superior why it was necessary to pass the file directly.

81. Return all classified files not under current action to the appropriate registry.

Review

82. In addition to routine document destruction, organisations should periodically hold special destruction exercises. These exercises should:

• ruthlessly cull unwanted copies of classified documents, especially when master sets or originals exist, for example at head office

• take care, however, not to destroy original documents of historical value (see paragraph 0).

Spot Checks

83. Spot checks deter taking TOP SECRET and SECRET documents out of the office for unauthorised purposes.

84. Line managers should carry out spot checks:

• without warning

• at frequent but irregular intervals

• during normal working hours.

85. To prevent spot checks from degenerating to a tiresome chore:

• check only TOP SECRET and SECRET documents

• check only a few documents at a time.

86. For further advice on spot checks, see the NZSIS Protective Security Manual.

Microform

87. Classified documents may be recorded on microfilm, microfiche or microform, as long as:

• information is recorded by persons cleared to access it

• reproductions are subject to the same security procedures as the originals

• continuous reels of recorded material are classified according to the highest classification they contain

• classified documents that are subject to special security procedures are recorded separately

• when continuous reels contain both TOP SECRET and lower-classified documents, steps are taken to safeguard the TOP SECRET documents when people without access to them are viewing the lower-classified material.

Custody of Classified Material

General

88. Chief Executives or heads of government departments and agencies, State Owned Enterprises and Crown Entities determine the security arrangements for storing IN CONFIDENCE, SENSITIVE and RESTRICTED material.

89. CONFIDENTIAL, SECRET and TOP SECRET material must be locked in security containers when not in use.

90. CONFIDENTIAL, SECRET and TOP SECRET material should not be stored together with UNCLASSIFIED material.

91. IN CONFIDENCE, SENSITIVE and RESTRICTED material may be stored together with UNCLASSIFIED material.

92. When storing material of different classifications together, use the security standard of the highest-classified item.

Minimum Standards for Holding Material Classified CONFIDENTIAL or Above

93. Minimum standards for holding material classified CONFIDENTIAL have been established. They are based on:

• the security container and its lock

• the position or site of the container

• the use of approved security equipment.

94. For more on the relationships between security classifications, container sites, container groups and categories of locks and the list of approved equipments, see the NZSIS Protective Security Manual.

Transporting Classified Material

95. During transit, classified material is at risk from accidental or deliberate compromise.

96. To protect classified material when in transit:

• use reliable means of transport

• use robust packaging

• conceal the attractiveness, identity and source of the material, under plain cover.

97. With higher levels of classification, use an audit system to track the material and reveal any actual or attempted tampering.

98. Protect classified material in transit:

• within and between sites and establishments in New Zealand

• between New Zealand and countries overseas

• within and between countries overseas.

Overseas Safe Hand Service

99. Most official material sent to, from, and between New Zealand government posts overseas is handled by the diplomatic mail service controlled and operated by MFAT. This service provides for:

• the regular dispatch of classified material by diplomatic safe hand bag in the care of a diplomatic courier

• the regular dispatch of unclassified material by unaccompanied diplomatic airfreight bag.

100. If classified material must be transferred overseas, seek advice from MFAT on how best to send it.

Commercial Postal and Courier Services

101. Material classified up to CONFIDENTIAL may be carried by commercial courier or post within New Zealand as long as the originators find the risk of compromise acceptable. Use the packaging and sealing provisions in Chapter 3 Annexes A to D.

102. Material classified SECRET must not be posted. It may be carried, only within New Zealand, by a commercial courier who is approved for the purpose by NZSIS. The courier must be contracted to follow procedures outlined in NZSIS Protective Security Manual.

103. Material classified TOP SECRET must not be posted nor carried by commercial courier under any circumstances.

Minimum Requirements for Transmission and Transport

Level	Classified Information	Classified Equipment
IN CONFIDENCE	Handle, use and transmit with care. See Chapter 3 Annex A.	Control, use and transport with care.
SENSITIVE or RESTRICTED	Handle, use and transmit with care. Take basic precautions against accidental compromise or opportunist attack. See Chapter 3 Annex B and C.	Control, use and transport with care. Take basic precautions against accidental compromise or opportunist attack.
CONFIDENTIAL	Handle, use and transmit to make accidental and deliberate compromise unlikely. Where possible, make actual or attempted compromise unlikely. Where possible, make actual or attempted compromise likely to be detected. See Chapter 3 Annex D.	Control, use and transport to make accidental compromise unlikely. Offer a degree of resistance to deliberate compromise. Control knowledge of planned movements. Make actual or attempted compromise likely to be detected.
SECRET	Handle, use and transmit to minimise the chance of accidental compromise. Offer a degree of resistance to deliberate compromise by a professional attack. Where possible, detect actual or attempted compromise and help identify those responsible. See Chapter 3 Annex E.	Control, use and transport to minimise the possibility of accidental compromise. Offer a degree of resistance to deliberate compromise by a professional attack. Limit knowledge of planned movements. Detect actual or attempted compromise and help identify those responsible.
TOP SECRET	Handle, use and transmit to prevent accidental compromise. Offer a degree of resistance to compromise by a sustained and sophisticated attack. Where possible, detect actual or attempted compromise and make it likely that those responsible will be identified. See Chapter 3 Annex F.	Control, use and transport with every possible precaution against accidental damage. Offer a degree of resistance to deliberate compromise by a sustained and sophisticated attack. Strictly limit knowledge of planned movements to those with a "need to know". Detect actual or attempted compromise and make it likely that those responsible will be identified.

Tamper-Evident Seals, Tapes and Envelopes

104. Envelopes containing classified documents for distribution outside a specially protected area must be adequately sealed. For details on currently approved sealing material and methods, see the NZSIS Protective Security Manual.

Mechanical Document Transfer Systems (MDT)

105. MDT systems use rails, tracks or pneumatic tubes to carry documents within and between buildings. Before installing an MDT system, assess the security implications for each site.

106. For more about MDT systems, see the NZSIS Protective Security Manual.

Destruction of Classified Material

107. Until classified material has been reduced to a state where it cannot be read or reconstituted, it retains its classification. Procedures for handling, recording, transmitting, and destroying classified waste are the same as for any material with that classification.

108. For more about types and standards of destruction, see the NZSIS Protective Security Manual.

Record of Destruction

109. Keep a record of the destruction of TOP SECRET and accountable documents.

110. Some organisations may also wish to keep a record of the destruction of certain other classified documents or material.

111. Records of destruction should include:

• the date

• the signature of the person carrying out the destruction

• the authority for the destruction

• for TOP SECRET material, the signature of a second witness to the destruction.

112. Before destroying any file, folder or document, first verify that all TOP SECRET and accountable pages and enclosures are present and complete.

113. Record the destruction of individual TOP SECRET items in files by:

• filing a note of the destruction in place of the document

• marking the relevant entry in the file index sheet.

114. Record the destruction of unfiled TOP SECRET documents by marking the relevant entry in the incoming-document record.

115. Record the destruction of accountable documents by marking their records.

116. Record the destruction of TOP SECRET files/folders by marking their indexes. The destruction of each TOP SECRET document in a file/folder does not have to be separately recorded.

117. For documents bearing an endorsement marking, take care to follow relevant instructions.

118. Certain categories of documents may not be destroyed by the holder, but instead must be returned to the originator or appropriate controller for destruction.

119. Retain records of the destruction of TOP SECRET material for as long as possible - as a general rule, aim for at least five years.

Minimum Requirements for Destruction

120. Classified waste is a potential source of information. Before it is destroyed, hold it in an appropriate container, separate from other waste. Security controls adopted by organisations for classified waste must meet the following levels:

Level	Classified Information	Classified Equipment
IN CONFIDENCE	Make compromise highly unlikely	Dispose of with care to make compromise highly unlikely
SENSITIVE or RESTRICTED	Make reconstruction highly unlikely	Dispose of with care or destroy to make reconstitution unlikely
CONFIDENTIAL	Make retrieval and reconstitution unlikely. Make actual or attempted compromise likely to be detected.	Make retrieval and reconstitution highly unlikely. Make actual or attempted compromise likely to be detected.
SECRET	Make retrieval or reconstruction highly unlikely. Detect actual or attempted compromise and help identify those responsible.	Make reconstitution highly unlikely. Prevent identification of constituent parts. Detect actual or attempted compromise and help identify those responsible.
TOP SECRET	Do everything necessary to: prevent retrieval or reconstitution detect actual or attempted compromise and make it likely that those responsible will be identified	Do everything necessary to: prevent reconstitution detect actual or attempted compromise and make it likely that those responsible will be identified

Methods of Destruction

121. However material is destroyed, it should done by or under the strict supervision of a staff member with appropriate security clearance. The responsible staff member should:

• accompany the material to the point of destruction

• ensure that destruction is complete

• give or witness a destruction certificate, as necessary.

122. Before destruction, all tapes, discs and similar magnetic and optical storage media which have been used to record classified information should be erased.

123. For details on approved methods of destruction of classified documents and other material, see the NZSIS Protective Security Manual.

124. For advice on the destruction of magnetic and electronic media, see the GCSB's NZSIT 207, Declassification of Storage Media.

Emergency Destruction

125. Although a need to plan for emergency destruction of classified material may appear unlikely, such a possibility should not be ignored. Where appropriate, consider the following contingency precautions:

Keep highly classified material in storage to an absolute minimum. Unless there is an essential need to retain it, consider destroying classified material when action on it is complete.

Establish an order of priorities for destruction. Keep the list in a location that staff know and can access without delay in an emergency.

Prepare a plan that uses all available destruction equipment. Periodically check that the equipment is serviceable and that staff know how to operate it.

Consider alternative destruction facilities in the event of power failure. For example, adapt paper shredders for manual operation or use an emergency incinerator.

National Archives

126. The Archives Act 1957:

• establishes a repository known as the National Archives

• transfers to the National Archives all "public archives" - public records, with certain exceptions, at least 25 years old, no longer in use, and worthy of permanent preservation

• lets the minister of a government organisation defer transfer of classified records

• lets an organisation make conditions on public archives transferred to the National Archives, including how they can be accessed

• requires the Chief Archivist (not the organisations) to authorise destroying records that are no longer useful to the organisation and not valuable enough to warrant their continued preservation.

127. Before transferring papers to the National Archives, an organisation normally subjects them to a process of scrutiny. This may include seeking help from the Chief Archivist. If the Chief Executive or head of the organisation holding the records agrees, the Chief Archivist or a duly delegated and suitably security-cleared representative may inspect classified records.

128. Records transferred to the National Archives may be withheld from the public because:

• the organisation that transferred them wants public access restricted; in this case, a person may request access to the records from the organisation, under the provisions of the Official Information Act 1982

• the Minister of Internal Affairs has directed the Chief Archivist to withhold access to a record or class of record, to satisfy the public policy of the New Zealand Government or that of another country

• the record is in a specified class of records transferred from the New Zealand Police or the Ministry of Justice, which require written authorisation from the respective minister

• the record is fragile or undergoing description, repair or other treatment.

[ Previous | Next ]